http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10135

Summary: users can view other users' web files through apache/php rights
Product: Apache httpd-1.3
Version: 1.3.23
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Major
Priority: Other
Component: Auth/Access
AssignedTo: bugs@httpd.apache.org
ReportedBy: [EMAIL PROTECTED]

Hi.

Suppose we have a dedicated web server with 100 (or more) users. We configure Apache so it will see every user's web files. So we have user x and user y. User x cannot see or read y's web files or other files, but he is smart and somehow finds a mode to break into y's web (especially in the case with the /home/y/public_html setting: every user knows that user xxyy has a public_html in his home dir, so he exploits it).

How? By Apache's rights. Does Apache have the rights to read ALL USERS' web files? YES. So x makes a browsing system and he uses Apache's rights to read ALL USERS' web files for reading y's web files. So x reads x's config.php (or anything else) and he finds out the database user and pass. What next?

So, I think it's a bad thing (in fact it's a major security problem) for PHP and Apache to use general rights for every user. Can Apache be configured as a user-level multi-user-threaded server, or is this a SECURITY BUG? I think someone (at least PHP & Apache) cares.

Best regards
Tudor Palanga.
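The shared-identity problem the report describes, with the two standard mitigations beside it, as an added configuration example that is not part of the bug report or of the Apache project's documentation. It assumes current httpd 2.4 with mod_proxy_fcgi and PHP-FPM (neither existed for the 1.3.23 in the report); the user names x and y and the socket paths are placeholders.

```apache
# --- Weak setting: one shared identity for every user's scripts ---
# mod_php runs inside the httpd process, so every user's script executes as
# the httpd user and can open any file httpd can read, including
# /home/y/public_html/config.php, regardless of which user owns the script.
UserDir public_html
<Directory "/home/*/public_html">
    AllowOverride None
    Options -Indexes
</Directory>

# --- Mitigation 1 (still mod_php): confine each user's scripts to their tree ---
# open_basedir is enforced by PHP, not by the kernel: it rejects fopen/include
# of paths that resolve outside the list (".." is resolved first), but it does
# not limit what a spawned shell can reach, so set disable_functions in
# php.ini as well (that directive cannot be set from httpd.conf).
# One block per user: the <Directory> wildcard has no back-reference that
# could reuse the user name.
<Directory "/home/x/public_html">
    php_admin_value open_basedir "/home/x/public_html:/tmp"
</Directory>
<Directory "/home/y/public_html">
    php_admin_value open_basedir "/home/y/public_html:/tmp"
</Directory>

# --- Mitigation 2 (PHP-FPM): run each user's scripts as that user ---
# This is the "user-level" server the report asks for: httpd only proxies the
# request, the script runs in a pool owned by user x, and ordinary file
# permissions (e.g. chmod 0750 /home/y) now keep y's config.php out of reach.
<Directory "/home/x/public_html">
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php-fpm/x.sock|fcgi://localhost"
    </FilesMatch>
</Directory>
# Matching pool, in a separate php-fpm pool file (placeholder name x.conf):
#   [x]
#   user = x
#   group = x
#   listen = /run/php-fpm/x.sock
#   listen.owner = apache
#   listen.group = apache
#   php_admin_value[open_basedir] = /home/x/public_html:/tmp
```

To verify the second setup, a script under /home/x/public_html that calls posix_getuid() should report x's UID rather than the httpd user's, and reading /home/y/public_html/config.php from it should fail with a permission error.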